CWE-89

Exploit likelihood: High

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Parent: CWE-943 - Improper Neutralization of Special Elements in Data Query Logic

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

19,493 vulnerabilities with CWE-89
CVE | Severity | CVSS | Title
CVE-2026-4876 | MEDIUM | CVSS 6.3 | itsourcecode Free Hotel Reservation System index.php sql injection
CVE-2026-2511 | HIGH | CVSS 7.5 | JS Help Desk – AI-Powered Support & Ticketing System <= 3.0.4 - Unauthenticated SQL Injection via 'multiformid' Parameter
CVE-2026-4850 | HIGH | CVSS 7.3 | code-projects Simple Laundry System Parameter checkregisitem.php sql injection
CVE-2026-4844 | HIGH | CVSS 7.3 | code-projects Online Food Ordering System Admin Login admin.php sql injection
CVE-2026-4842 | HIGH | CVSS 7.3 | itsourcecode Online Enrollment System Parameter index.php sql injection
CVE-2026-4841 | HIGH | CVSS 7.3 | code-projects Online Food Ordering System Shopping Cart cart.php sql injection
CVE-2026-4839 | HIGH | CVSS 7.3 | SourceCodester Food Ordering System Parameter purchase.php sql injection
CVE-2026-4838 | HIGH | CVSS 7.3 | SourceCodester Malawi Online Market display.php sql injection
CVE-2026-4836 | MEDIUM | CVSS 6.3 | code-projects Accounting System delete.php sql injection
CVE-2026-4826 | MEDIUM | CVSS 6.3 | SourceCodester Sales and Inventory System HTTP GET Parameter update_stock.php sql injection
CVE-2026-33917 | HIGH | CVSS 8.8 | OpenEMR has SQL Injection in CAMOS Form
CVE-2026-33914 | HIGH | CVSS 7.2 | OpenEMR has SQL Injection in PostCalendar Category Delete
CVE-2026-4825 | MEDIUM | CVSS 6.3 | SourceCodester Sales and Inventory System HTTP GET Parameter update_sales.php sql injection
CVE-2026-33910 | HIGH | CVSS 7.2 | OpenEMR <=8.0.0.2 Patient Selection - SQL Injection
CVE-2026-33909 | MEDIUM | CVSS 5.9 | OpenEMR Vulnerable to SQL Injection via Unsanitized Variables in MedEx Recall/Reminder Processing
CVE-2026-29187 | HIGH | CVSS 8.1 | OpenEMR Vulnerable to Authenticated Blind Boolean-Based SQL Injection in new_search_popup.php
CVE-2026-33713 | HIGH | CVSS 8.8 | n8n Vulnerable to SQL Injection in Data Table Node via orderByColumn Expression
CVE-2026-33660 | HIGH | CVSS 8.8 | n8n Has Multiple Remote Code Execution Vulnerabilities in Merge Node AlaSQL SQL Mode
CVE-2026-32539 | CRITICAL | CVSS 9.3 | WordPress PublishPress Revisions plugin <= 3.7.23 - SQL Injection vulnerability
CVE-2026-32534 | HIGH | CVSS 8.5 | WordPress JS Help Desk plugin <= 3.0.3 - SQL Injection vulnerability
CVE-2026-32516 | HIGH | CVSS 8.5 | WordPress Miraculous Core Plugin plugin < 2.1.2 - SQL Injection vulnerability
CVE-2026-32499 | CRITICAL | CVSS 9.3 | WordPress ChatBot plugin <= 7.7.9 - SQL Injection vulnerability
CVE-2026-31920 | CRITICAL | CVSS 9.3 | WordPress Product Rearrange for WooCommerce plugin <= 1.2.2 - SQL Injection vulnerability
CVE-2026-27039 | HIGH | CVSS 8.5 | WordPress WZone plugin <= 14.0.31 - SQL Injection vulnerability
CVE-2026-25377 | CRITICAL | CVSS 9.3 | WordPress Addon Jobsearch Chat plugin <= 3.0 - SQL Injection vulnerability